diff --git a/src/tools/BashTool/bashPermissions.test.ts b/src/tools/BashTool/bashPermissions.test.ts
new file mode 100644
index 00000000..f45d8459
--- /dev/null
+++ b/src/tools/BashTool/bashPermissions.test.ts
@@ -0,0 +1,59 @@
+import { afterEach, expect, test } from 'bun:test'
+
+import { getEmptyToolPermissionContext } from '../../Tool.js'
+import { SandboxManager } from '../../utils/sandbox/sandbox-adapter.js'
+import { bashToolHasPermission } from './bashPermissions.js'
+
+const originalSandboxMethods = {
+ isSandboxingEnabled: SandboxManager.isSandboxingEnabled,
+ isAutoAllowBashIfSandboxedEnabled:
+ SandboxManager.isAutoAllowBashIfSandboxedEnabled,
+ areUnsandboxedCommandsAllowed: SandboxManager.areUnsandboxedCommandsAllowed,
+ getExcludedCommands: SandboxManager.getExcludedCommands,
+}
+
+afterEach(() => {
+ SandboxManager.isSandboxingEnabled =
+ originalSandboxMethods.isSandboxingEnabled
+ SandboxManager.isAutoAllowBashIfSandboxedEnabled =
+ originalSandboxMethods.isAutoAllowBashIfSandboxedEnabled
+ SandboxManager.areUnsandboxedCommandsAllowed =
+ originalSandboxMethods.areUnsandboxedCommandsAllowed
+ SandboxManager.getExcludedCommands = originalSandboxMethods.getExcludedCommands
+})
+
+function makeToolUseContext() {
+ const toolPermissionContext = getEmptyToolPermissionContext()
+
+ return {
+ abortController: new AbortController(),
+ options: {
+ isNonInteractiveSession: false,
+ },
+ getAppState() {
+ return {
+ toolPermissionContext,
+ }
+ },
+ } as never
+}
+
+test('sandbox auto-allow still enforces Bash path constraints', async () => {
+ ;(globalThis as unknown as { MACRO: { VERSION: string } }).MACRO = {
+ VERSION: 'test',
+ }
+
+ SandboxManager.isSandboxingEnabled = () => true
+ SandboxManager.isAutoAllowBashIfSandboxedEnabled = () => true
+ SandboxManager.areUnsandboxedCommandsAllowed = () => true
+ SandboxManager.getExcludedCommands = () => []
+
+ const result = await bashToolHasPermission(
+ { command: 'cat ../../../../../etc/passwd' },
+ makeToolUseContext(),
+ )
+
+ expect(result.behavior).toBe('ask')
+ expect(result.message).toContain('was blocked')
+ expect(result.message).toContain('/etc/passwd')
+})
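Review bot: Only the blocked case is pinned here, so a regression that makes every sandboxed command return `ask` would pass this file unnoticed. A companion test with the same four `SandboxManager` stubs and a command that stays inside the working directory, asserting whatever auto-allow is meant to produce (presumably `allow`, not confirmed from this hunk), would cover that side of the change. Separately, `globalThis.MACRO` is assigned inside the test body but `afterEach` restores only the `SandboxManager` methods, so the stub global leaks into later tests in the same process. Capture the prior value next to `originalSandboxMethods` and restore it in `afterEach`.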
diff --git a/src/tools/BashTool/bashPermissions.ts b/src/tools/BashTool/bashPermissions.ts
index 288c7e97..af4f7ecc 100644
--- a/src/tools/BashTool/bashPermissions.ts
+++ b/src/tools/BashTool/bashPermissions.ts
@@ -1814,7 +1814,10 @@ export async function bashToolHasPermission(
 input,
 appState.toolPermissionContext,
 )
- if (sandboxAutoAllowResult.behavior !== 'passthrough') {
+ if (
+ sandboxAutoAllowResult.behavior === 'deny' ||
+ sandboxAutoAllowResult.behavior === 'ask'
+ ) {
 return sandboxAutoAllowResult
 }
 }
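Review bot: The new `if` depends on a security invariant that nothing at this spot states: an `allow` from the sandbox auto-allow check must not return early, so that the checks further down still run. Without a comment, a later cleanup could collapse the condition back to `!== 'passthrough'` and silently restore the bypass that the accompanying test guards against. I would add above the `if` something like `// Only deny/ask short-circuit here; a sandbox auto-allow 'allow' must still fall through to the later path-constraint checks.` The hunk does not show what happens to the `allow` result after the fall-through, so confirm that a sandboxed command passing every later check still ends up allowed rather than degrading to a prompt. The body of `bashToolHasPermission` starts and ends outside this hunk.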